5.5. Destination NAT with netfilter (DNAT)

最新推荐文章于 2023-06-06 09:00:00 发布

转载最新推荐文章于 2023-06-06 09:00:00 发布 · 427 阅读

文章标签：

#translation #protocols #network #command #service #tcp

转《Guide To IP Layer Network Administration With Linux Version 0.4.4》专栏收录该内容

48 篇文章

订阅专栏

本文介绍了如何利用netfilter进行目的地址转换(DNAT)，包括为所有协议和端口转换单一IP，为特定端口设置DNAT，以及通过SNAT和DNAT模拟完整的网络地址转换。netfilter DNAT不会响应NAT IP的ARP请求，而iproute2 NAT则会自动响应。

5.5. Destination NAT with netfilter (DNAT)

Destination NAT with netfilter is commonly used to publish a service from an internal RFC 1918 network to a publicly accessible IP. To enable DNAT, at least one iptables command is required. The connection tracking mechanism of netfilter will ensure that subsequent packets exchanged in either direction (which can be identified as part of the existing DNAT connection) are also transformed.

In a devilishly subtle difference, netfilter DNAT does not cause the kernel to answer ARP requests for the NAT IP, where iproute2 NAT automatically begins answering ARP requests for the NAT IP.

Example 5.5. Using DNAT for all protocols (and ports) on one IP

[root@real-server]# iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2

In this example, all packets arriving on the router with a destination of 10.10.20.99 will depart from the router with a destination of 10.10.14.2.

Example 5.6. Using DNAT for a single port

[root@real-server]# iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2

Full network address translation, as performed with iproute2 can be simulated with both netfilter SNAT and DNAT, with the potential benefit (and attendent resource consumption) of connection tracking.

Example 5.7. Simulating full NAT with SNAT and DNAT

[root@real-server]# iptables -t nat -A PREROUTING -d 205.254.211.17 -j DNAT --to-destination 192.168.100.17
[root@real-server]# iptables -t nat -A POSTROUTING -s 192.168.100.17 -j SNAT --to-destination 205.254.211.17